Facebook disclosed on Friday that hackers stole digital login codes allowing them to assume control over nearly 50 million user accounts in its worst security breach ever given the unprecedented level of potential access, according to a report in Reuters.
The social media giant said it has yet to determine whether the attacker misused any accounts or stole private information. It also has not identified the attacker’s location or whether specific victims were targeted, reported Reuters.
Chief executive Mark Zuckerberg described the incident as “really serious” in a conference call with reporters. His account was affected along with that of chief operating officer Sheryl Sandberg, a spokeswoman said as per the report.
Shares in Facebook fell 2.6 percent on Friday, weighing on major Wall Street stock indexes.
Earlier this year, Facebook was in the news after profile details from 87 million users were improperly accessed by political data firm Cambridge Analytica. The disclosure has prompted government inquiries into the company’s privacy practices across the world, and fueled a “#deleteFacebook” social movement among consumers, said Reuters.
US lawmakers said on Friday that the hack may boost calls for data privacy legislation.
Reuters reported that Facebook’s latest vulnerability had existed since July 2017, but the company first identified it on Tuesday after spotting a “fairly large” increase in use of its “view as” privacy feature on Sept. 16, executives said.
“View as” allows users to verify their privacy settings by seeing what their own profile looks like to someone else. The flaw inadvertently gave the devices of “view as” users the wrong digital code, which, like a browser cookie, keeps users signed in to a service across multiple visits.
That code could allow the person using “view as” to post and browse from someone else’s Facebook account, potentially exposing private messages, photos and posts. The attacker also could have gained full access to victims’ accounts on any third-party app or website where they had logged in with Facebook credentials, the report revealed.
Guy Rosen, the Facebook VP in charge of security, said the flaw was “complex” in that it resulted from three failings.
A video upload feature should not have displayed on a user’s profile page when accessed through “view as,” Rosen told reporters on a conference call. That alone would not have been problematic except that the video feature wrongly triggered the placement of the powerful login code. And it placed the code not for the “view as” user, but for who they were pretending to be.
Facebook fixed the issue on Thursday. It also notified the US Federal Bureau of Investigation, Department of Homeland Security, Congressional aides and the Data Protection Commission in Ireland, where the company has European headquarters.
The Irish authority expressed concern in a statement that Facebook has been “unable to clarify the nature of the breach and risk to users” and said it was pressing Facebook for answers.
Facebook reset the digital keys of the 50 million affected accounts and, as a precaution, temporarily disabled “view as” and reset those keys for another 40 million accounts that had been looked up through “view as” over the last year.
About 90 million people will have to log back into Facebook or any of their apps that use a Facebook login, the company said.
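The three failings Rosen describes (an interactive component rendered inside the preview, that component minting a session token as a side effect, and the token being bound to the impersonated identity rather than the signed-in user) and the later key reset can be illustrated in a few dozen lines. The following is an added, self-contained example written for this page; it is not Facebook's code and is not based on its internals. It assumes a simplified HMAC-signed bearer token with a per-user session generation counter; the user names, signing key and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; a real service would keep these in a KMS / session store.
SIGNING_KEY = b"constructed-demo-signing-key"
# Per-user session generation; bumping it invalidates every token minted before the bump.
SESSION_GENERATION = {"alice": 1, "bob": 1}


def mint_token(subject, scopes):
    """Mint a signed bearer token bound to `subject` (the identity it grants access as)."""
    payload = {"sub": subject, "gen": SESSION_GENERATION[subject], "scopes": sorted(scopes)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token):
    """Return the token's claims if the signature and session generation are current, else None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["gen"] != SESSION_GENERATION.get(claims["sub"]):
        return None  # revoked by a reset
    return claims


def reset_sessions(user):
    """Invalidate all outstanding tokens for `user` (the "reset the digital keys" step)."""
    SESSION_GENERATION[user] += 1


# --- Vulnerable preview: reproduces the three failings the article describes ---
def render_view_as_vulnerable(actor, viewed_as):
    """`actor` previews their own profile as `viewed_as` would see it.

    Failing 1: the video uploader is rendered inside the preview.
    Failing 2: rendering the uploader mints a full-access token as a side effect.
    Failing 3: the token is minted for the identity being impersonated, not the actor.
    """
    page = {"profile_of": actor, "viewer": viewed_as, "components": ["posts", "photos"]}
    page["components"].append("video_uploader")            # failing 1
    page["token"] = mint_token(viewed_as, {"full_access"})  # failings 2 and 3
    return page


# --- Hardened preview ---
def render_view_as_fixed(actor, viewed_as):
    """Same preview with the three failings removed.

    Interactive components are not rendered in a preview, rendering never mints a token
    as a side effect, and the only token the page carries is bound to the authenticated
    actor with a scope that cannot act on anyone's behalf.
    """
    page = {"profile_of": actor, "viewer": viewed_as, "components": ["posts", "photos"]}
    page["token"] = mint_token(actor, {"preview_only"})
    return page


def account_token_can_act_on(token):
    """Which account a page's token could act on with full access (None if it cannot)."""
    claims = verify_token(token)
    if claims is None or "full_access" not in claims["scopes"]:
        return None
    return claims["sub"]


if __name__ == "__main__":
    leaked = render_view_as_vulnerable("alice", "bob")["token"]
    print("vulnerable preview token acts on:", account_token_can_act_on(leaked))  # bob
    safe = render_view_as_fixed("alice", "bob")["token"]
    print("hardened preview token acts on:", account_token_can_act_on(safe))     # None
    reset_sessions("bob")
    print("leaked token valid after reset:", verify_token(leaked) is not None)    # False
```

The design point is that a session token's subject must always be the principal who authenticated, never the identity a feature is rendering "as"; the preview context belongs in a separate, non-privileging claim or in server-side state. The generation counter shows why resetting keys is an effective response even when it is unknown which tokens were taken: every token minted before the bump fails verification, which is what forces the 90 million re-logins the article mentions.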
Two Facebook users sued the company over the breach in federal court in California on Friday. More than 6,000 users complained about the breach on Zuckerberg’s Facebook page, said Reuters.
The level of concern expressed on Facebook was enough that the company’s automated system temporarily blocked sharing of some articles about the breach, according to Reuters.
“Our security systems have detected that a lot of people are posting the same content, which could mean that it’s spam,” a message told users. Facebook later apologised for the misfire, said Reuters.